UPDATE: Solution detailed at the bottom, currently Rights Management can only be enabled by PowerShell because – well – Microsoft.
I’ve adapted a quote often used for REGEX to summarise the problems of setting up Microsoft Information Protection within Microsoft 365:
“So you have a problem you can only solve via Microsoft Information Protection (AKA Azure Information Protection)? Well now you have two problems”
Like many people, I’ve suffered through Microsoft’s never-ending security product realignments, name changes, license changes and feature-shifts but I persevered because ultimately the end solution is worth it: Encrypted documents that provide protection beyond the borders of your network or 365 tenancy.
Unfortunately, the latest shift – which, as far as I can tell, is moving from Azure Information Protection to Microsoft 365 Information Protection – is a nightmare, with out-of-date documents, tutorials and product descriptions leaving me stuck in a loop. I pulled this blog post together in the hope that I’d eventually find a solution and it would provide a guide for other lost souls.
The requirement
Like any solution, I started off with a requirement: I want to enable data classification labels for my Microsoft 365 documents and apply restrictions to some of them so they cannot be accessed by users that haven’t authenticated for a week.
Simple right?
Setting up Microsoft Information Protection
First things first, I made sure I had a license that included Azure Information Protection because as far as I’m concerned, that is what I’m still using.
I opted for Microsoft 365 Business Premium which clearly includes Document classification along with Azure Rights Management and a bunch of other services (see image to the right for more details).
Next, I went to the Microsoft Compliance Portal (https://compliance.microsoft.com/) which has now been weirdly renamed to Microsoft Purview (clearly they haven’t considered that it sounds a little seedy like “Perve View”).
On the left I clicked Data classification and was dismayed to realise there was no option to make data classification labels here (why?!). Microsoft have instead put an option further down the menu called Information protection for these (despite it only containing labels?). Clicking it, I then clicked Labels and then Create a label, going through the fairly clear steps to create a Public label (one which had virtually no controls) – this worked fine:
Next up, I decided to create a Top Secret label and this is where my troubles began. I managed to get all the way through via the following steps:
- Provided the name, title and description
- Selected a scope of Files & emails
- Selected Encrypt files and emails
- Selected Configure encryption settings with the following options:
  - Assign permissions now or let users decide: Assign permissions now
  - User access to content expires: Never
  - Allow offline access: 3 (days)
- Under Assign permission to specific users and groups I clicked Assign permissions and chose Add all users and groups in your organisation
- I enabled Auto-labeling for files and emails and clicked Next
- Both options under Define protection settings for groups and sites were grayed out
- I clicked Create label on the summary page
Now I got my first error, “Rights Management is not active for the tenant”:
The “Diagnostic information” is completely useless to the user and is presumably for those with access to Microsoft support (anonymised):
Diagnostic information: {Version:17.00.8328.009,Environment:WEUPROD,DeploymentId:a5d3e4c5a0bf7eaba08f7a0bf4a0a947,InstanceId:WebRole_IN_33,SID:a0bf7a75-a0bf-4cbd-a0bf-b5841a0bf9c4,CID:d49dee0b-b342-a0bf-b942-a0bfd18356322} Time: Fri, 29 Apr 2022 13:52:21 GMT
So now I go on a hunt to find out how to activate/enable “Rights Management” for my tenant. A quick Google search for enable “rights management” “microsoft 365” gives me results with the top three being Microsoft documents, all of which looked promising:
Activate rights management in the admin center
Set up Information Rights Management (IRM) in SharePoint admin center
Microsoft 365: Configuration for online services to use the Azure Rights Management service
Let’s review the success (failure) I had with each one:
Microsoft Doc 1: Activate rights management in the admin center
This page waffles on about the fact that you need to activate the Rights Management service (RMS) before you can use the Information Rights Management (IRM) features of Microsoft 365, before providing a link to another document:
For instructions about activating RMS for Microsoft 365, see Activating the protection service from Azure Information Protection.
Hopefully this document, updated just 9 days ago (22 Apr 2022), will solve my issue, but already things are starting to get messy: is RMS the same as AIP (Azure Information Protection)? How do RMS and AIP relate to IRM? WTF?
I dutifully carry on and am told that I can “Activate protection via PowerShell” – why the hell would I want to use PowerShell for something that should be a tick box?
Next I see that I can “Activate protection from the Azure portal” – woohoo that sounds more like it, the instructions are simple “Go to and sign in to the Azure portal. Then navigate to the Azure Information Protection pane.” BOOM – I can do this. I head over to https://portal.azure.com/ and search for Azure Information Protection in the search bar, it pops straight up and I’m thinking all is well. Bollocks. The first thing I see is this:
Azure Information Protection labeling and policy management in the Azure Portal, as well as the Azure Information Protection classic client, reached end-of-life on April 1, 2021. Your current labels and labeling policies will continue to function as configured; however, no further support is provided, and maintenance versions will no longer be released for the classic client.
To make changes to your labels and labeling policies, you must migrate to unified labeling and upgrade to the unified labeling client.
Well that’s just splendid, perhaps someone should have told whoever updated the previous document 6 days ago that Azure Information Protection was end-of-life over a year ago!?
Still in Azure, the Unified Labelling section of Azure Information Protection says:
“Unified labeling is activated for this tenant, and you can manage your labels in the Microsoft 365 Compliance center“
I’m guessing they mean Microsoft Perve-view because there is no Microsoft 365 Compliance center. . . clicking that link takes me back to where I started, the Information Protection section within Microsoft Purview (AKA Microsoft 365 Compliance Center).
Microsoft Doc 2: Set up Information Rights Management (IRM) in SharePoint admin center
Let’s try the next document and see if that helps; this one is so simple I’ve just included the steps here:
- Sign in as a global admin or SharePoint admin.
- Select the app launcher icon in the upper-left and choose Admin to open the Microsoft 365 admin center. (If you don’t see the Admin tile, you don’t have administrator permissions in your organization.)
- In the left pane, choose Admin centers > SharePoint admin center.
- In the left pane, choose settings, and then choose classic settings page.
- In the Information Rights Management (IRM) section, choose Use the IRM service specified in your configuration, and then choose Refresh IRM Settings. After you refresh IRM settings, people in your organization can begin using IRM in their SharePoint lists and document libraries. However, the options to do so may take up to an hour to appear in Library Settings and List Settings.
I completed this and returned to Microsoft Purview but unfortunately, no dice – this wasn’t the problem either.
Microsoft Doc 3: Configuration for online services to use the Azure Rights Management service
This page immediately launched into using PowerShell to connect to the Office 365 Exchange server; it fell over as soon as I needed to authenticate, presumably because I have MFA enabled and there didn’t seem to be any support for it.
The Solution
So I raised a support ticket with Microsoft and – in their defence – I had a call back and a remote session within an hour.
The support agent agreed with me that there was no way to tell how to solve this from the documentation online, he said simply that the service had changed but the interfaces hadn’t been updated along with it. The only way to solve this was via PowerShell, the steps were:
- Firstly, you need to log in to Microsoft 365 using the Edge browser because – well – Microsoft.
- Then go to the Exchange admin center: https://admin.exchange.microsoft.com/#/homepage
- Select the Classic Exchange admin center (because – well – Microsoft): https://outlook.office365.com/ecp/
- Click on hybrid in the left-hand menu
- IMPORTANT NOTE: I had to temporarily disable Sophos AV protection for the next step.
- Under the text The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely, click the Configure button
- Click Open at the warning message; you should then be presented with a PowerShell prompt
- Next, enter the following PowerShell commands:
  - Connect-AipService – this should respond with “A connection to the Azure Information Protection service was opened.”
  - Get-AipService – if you have the same problem as me, this will respond with Disabled
  - Enable-AipService – this should respond with “The Azure Information Protection service has been successfully enabled although additional configuration of other services might be required.”
  - Get-AipService – this should now respond with Enabled – yay!
I then went and attempted to created a data classification label with encryption and it worked!
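The same enable procedure as one idempotent script, added here as an example (it is not the original post’s steps or Microsoft’s code); it assumes the AIPService module is available from the PowerShell Gallery and that the signed-in account is a global admin for the tenant:

```powershell
# Added example (not from the original post): enable Azure Rights Management
# for the tenant with the AIPService module, checking state before and after.
# Assumptions: AIPService is installable from the PowerShell Gallery and the
# account you sign in with is a global admin on the tenant.

# AIPService only supports Windows PowerShell (5.1); in PowerShell 7 it installs
# but Connect-AipService fails with a misleading "wrong credentials" error.
if ($PSVersionTable.PSEdition -ne 'Desktop') {
    throw "Run this in Windows PowerShell 5.1; AIPService does not support PowerShell 7."
}

# Install the module for the current user if it is not present already.
if (-not (Get-Module -ListAvailable -Name AIPService)) {
    Install-Module -Name AIPService -Scope CurrentUser -Force
}
Import-Module AIPService

# Interactive sign-in (MFA is handled by the sign-in dialog). Expected output:
# "A connection to the Azure Information Protection service was opened."
Connect-AipService

# Get-AipService reports 'Enabled' or 'Disabled' for the tenant.
$state = Get-AipService
Write-Host "Rights Management state before: $state"

if ($state -eq 'Disabled') {
    # This is the step the compliance portal cannot do for you.
    Enable-AipService
    $state = Get-AipService
}

Write-Host "Rights Management state after: $state"
if ($state -ne 'Enabled') {
    throw "Rights Management is still '$state'; check the account's admin role and retry."
}

# Show the tenant's RMS configuration (licensing/certification URLs) as a
# final confirmation that the service now answers for this tenant.
Get-AipServiceConfiguration

Disconnect-AipService
```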
Thanks for this – I had exactly the same experience and thought I was being dense. Turns out, all the documentation goes in circles… and it’s been 9 months since you wrote this article.
Also, a tip, don’t dare try to install the AIPservice module in PowerShell 7. It will install, but you can’t use it — it will fail to connect telling you your credentials are wrong, but of course they’re not. You must use Windows PowerShell. “Note the AIPService PowerShell module only supports Windows PowerShell. PowerShell 7 is not supported.” https://learn.microsoft.com/en-us/azure/information-protection/install-powershell
Just like the absolute mess of MS compliance offering, so is the entire PowerShell experience. “Let’s name two different products PowerShell and then make some things work in one and some work in another, and some work in both, and then tell people their password is wrong if something is incompatible!”
Yep, it’s a complete mess. I got excited to try the Phishing Attack Simulator in the Defender Portal, Purview, Security Centre or whatever it’s called this week and it was a disaster: loads of users being set training that hadn’t clicked a link (even the data from the tool itself confirmed this) and, best of all, Microsoft randomly decided to start using a domain name they didn’t own for emails from the platform, effectively spoofing – I wrote an article about it here: https://seguro.ltd/news/microsoft-is-spoofing-email-from-a-massachusetts-family-run-business/